12-05-2012 07:34 AM - edited 12-06-2012 03:20 AM
Been reading about CPNA, which jumps up on detection of a CP to allow the user to log in so the device can verify connectivity by retrieving the "Success" page. Users are able to log in to the CP, but the "close button" doesn't work, I assume because it is appearing within the CPNA rather than the browser; consequently the connection is terminated.
The connection to Apple therefore needs to be allowed without the need to log in to the CP, and therefore not invoke the CPNA? Once the iPad has done this, it would then be possible to activate it, then open Safari and be presented with the CP?
I've found this thread:
But I can't even find how to enable the DNS server on the GUI!
Figuring it out.. slowly!!
config t
ip name-server 22.214.171.124
ip domain-name <your company.com>
ip domain-lookup
netdestination apple
name *.apple.com
exit
Can't seem to insert the last line.
12-06-2012 05:44 AM
I've been able to get this working by opening up the test captive portal to essentially go anywhere, as I wasn't having any joy trying to restrict it to the "apple" alias. However, I don't think I've been able to configure this correctly, as it wouldn't accept the last line of code.
Most places I look want me to define an IP/subnet for the destination network, which I very much doubt I'm going to be able to find. I've gone onto the CLI to ping apple.com and it is resolving, so this seems OK, but it won't work unless I have the permit any/any at the top, so something's not quite right somewhere...
12-12-2012 04:47 AM
- You're using a setup with the Controller having the captive portal.
- The client you connect to the wireless lands in the guest-logon (or equivalent) role and is given basic network access through the logon-control and captiveportal policies.
- The client is assigned correct network info (ip/gateway/dns etc).
This CLI command should then do it for you:
ip access-list session "ios-cnafix"
  alias "user" alias "apple.com" svc-http permit position 1 queue low
!
user-role guest-logon
  access-list session "ios-cnafix" position 1
!
Basics here are to
- create the alias for the destination you want to open access for
- add that alias to a (new) firewall policy
- add that firewall policy to the logon role which your users land in once connected
Another option I believe should give the same result would be the Walled Garden access (excerpt from the 6.1 UG, but should work the same in 5.x also):
(host)(config)# conf t
(host)(config)# netdestination "apple.com"
(host)(config)# aaa authentication captive-portal default
(host)(Captive Portal Authentication Profile "default")# white-list apple.com
(host)(Captive Portal Authentication Profile "default")# !
-ACMX #316 :: ACCP-
Intelecom - Norway
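Once either the ACL or the walled-garden whitelist is in place, the quickest way to tell whether the controller is really letting the iOS connectivity check through is to request the same page from a client sitting in the logon role and look at the raw answer, without following redirects. The script below is an added example and is not part of the original thread or of Aruba's documentation: it fetches the www.apple.com/library/test/success.html URL mentioned in this thread, refuses to follow any 302, and reports whether the genuine "Success" page came back ("open", the CNA should stay quiet), a portal redirect or portal page came back ("captive", the CNA will pop up), or nothing came back at all ("blocked", the rule is not matching the traffic). The User-Agent string and the portal URL in the comments are assumptions, not values from the thread.

```python
"""Probe the Apple connectivity-check URL from a guest-SSID client and report
what iOS would see.  Added example, not code from the original forum thread."""
import socket
import urllib.error
import urllib.request

# URL named in the thread as the iOS connectivity check.
PROBE_URL = "http://www.apple.com/library/test/success.html"
TIMEOUT = 5


def classify_probe(status, location, body):
    """Classify an HTTP reply to the probe the way the iOS check effectively does.

    status   -- integer HTTP status code, or None if no HTTP reply came back
    location -- value of the Location header, or None if absent
    body     -- response body as text

    Returns "open" (Apple's real Success page came back, CNA stays quiet),
    "captive" (a redirect to the portal, or a portal page served with 200,
    so the CNA will appear) or "blocked" (no HTTP reply at all).
    """
    if status is None:
        return "blocked"
    if 300 <= status < 400 and location:
        return "captive"
    # Apple's page is a tiny HTML document whose <title> and <body> are both
    # "Success"; normalise whitespace and case before looking for the title.
    compact = "".join(body.split()).lower()
    if status == 200 and "<title>success</title>" in compact:
        return "open"
    return "captive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 302 to the portal is the symptom we want to see."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def probe(url=PROBE_URL, timeout=TIMEOUT):
    """Fetch the probe URL without following redirects.

    Returns (verdict, status, location), where verdict comes from classify_probe.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    # Assumption: the iOS probe identifies itself with this User-Agent family.
    req = urllib.request.Request(url, headers={"User-Agent": "CaptiveNetworkSupport/1.0 wispr"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.getcode()
            location = resp.headers.get("Location")
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # raised for refused 3xx and for 4xx/5xx
        status = err.code
        location = err.headers.get("Location")
        body = err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, OSError):
        status, location, body = None, None, ""
    return classify_probe(status, location, body), status, location


if __name__ == "__main__":
    verdict, status, location = probe()
    print("verdict=%s status=%s location=%s" % (verdict, status, location))
```

Run it from a laptop or phone that has just associated to the guest SSID and has not logged in yet, so it sits in the same logon role as the iPad. A "captive" verdict with a Location pointing at the controller's login URL means the captive-portal policy is still winning over the apple.com alias (check the rule ordering with `show rights guest-logon`); "blocked" usually means the destination alias is not resolving to the address the client is actually connecting to.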
12-12-2012 07:10 AM - edited 12-12-2012 07:35 AM
Thanks for your assistance..
Failing at the first hurdle again!
conf t
netdestination "apple.com"
name apple.com
"name" isn't a recognised command...
(config) #netdestination "apple.com"
% Invalid input detected at '^' marker.
host Configure a single host
invert Use all destinations EXCEPT this destination
network Configure a subnet
no Delete Command
range Configure a range of IP addresses
I carried on regardless, and saw the config in the GUI, which was the same as I'd tried before, and the CNA still pops up. Domain lookup is enabled and I can ping apple.com, so I know it's resolving from the box OK.
We are using an upstream proxy server, but this info should be getting obtained from the wpad.dat file, which is the first rule in the guest logon policy. I know the wpad file works, as when on "auto" and logged in, I can see connections going through the proxy server...
For sanity testing, I added an "any any permit" rule, which worked, so I'm 99.9% sure it is an Aruba FW config issue. I've tried hosting the "success" page on the proxy/DNS server with a static DNS entry resolving apple.com to itself, and successfully tested with www.apple.com/library/test/success.html, but it still didn't work. I've tried an apple.com destination NAT to the proxy server, hoping to retrieve the "success" page this way, but that didn't work either!